ikev1: Only delete redundant CHILD_SAs if configured
author	Tobias Brunner <tobias@strongswan.org>
	Tue, 20 Jun 2017 10:50:36 +0000 (12:50 +0200)
committer	Tobias Brunner <tobias@strongswan.org>
	Mon, 26 Jun 2017 08:33:16 +0000 (10:33 +0200)
If we find a redundant CHILD_SA (the peer probably rekeyed the SA before
us) we might not want to delete the old SA because the peer might still
use it (same applies to old CHILD_SAs after rekeyings).  So only delete
them if configured to do so.

Fixes #2358.

src/libcharon/sa/ikev1/task_manager_v1.c

index 48ec3e7..3472d2c 100644
@@ -1805,8 +1805,12 @@ METHOD(task_manager_t, queue_child_rekey, void,
                if (is_redundant(this, child_sa))
                {
                        child_sa->set_state(child_sa, CHILD_REKEYED);
-                       queue_task(this, (task_t*)quick_delete_create(this->ike_sa,
+                       if (lib->settings->get_bool(lib->settings, "%s.delete_rekeyed",
+                                                                               FALSE, lib->ns))
+                       {
+                               queue_task(this, (task_t*)quick_delete_create(this->ike_sa,
                                                                                                protocol, spi, FALSE, FALSE));
+                       }
                }
                else
                {
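Review bot: the new strongswan.conf key read at the added `lib->settings->get_bool(lib->settings, "%s.delete_rekeyed", FALSE, lib->ns)` call is not documented anywhere in this patch (no option description is added alongside the code, and the commit message says only "if configured to do so" without naming the key), so please add the option's description and its default, and mention the key name in the commit message. Two further points on the same lines: with the default FALSE, behaviour changes for every existing deployment, since the `quick_delete_create(...)` task that used to be queued unconditionally for a redundant SA is now skipped unless the option is set, so the redundant SA stays installed (in state CHILD_REKEYED) until it expires on its own; that trade-off is deliberate per the message but deserves a sentence in the option description. And the message says the "same applies to old CHILD_SAs after rekeyings", yet this hunk only guards the `is_redundant(this, child_sa)` branch; if the plain-rekey path is handled elsewhere it would help to reference it, otherwise that case still deletes unconditionally.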